Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rogue PDFs Behind 80% of Exploits In Q4 '09

Posted by CmdrTaco on from the imagine-if-pdf-was-an-open-format dept.

CWmike writes "Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"

3 of 189 comments (clear)

  1. Or more likely by FreeUser · · Score: 5, Insightful

    How about "Adobe Reader is the only relevant PDF reader on the market"? Is it really that hard to understand?

    Or how about:

    "Adobe Reader is shit. Zero day exploits are like shooting ducks in a barrel." Or maybe "It's the platform, and Adobe is just the vector de jour. IE was last months, Office the month before that, and Flash (or something equally widespread, complex, superfulous and buggh) is next month's ..."

    Microsoft Windows users are known as the road-kill of the Information Superhighway for a reason, and Adobe can only take some small credit for their contribution to that.

    --
    The Future of Human Evolution: Autonomy
  2. Re:Me too? NOT by gad_zuki! · · Score: 4, Insightful

    Adobe reader's web plugin simply opens PDFs without any warning. Nor does it warn if there is javascript running on the PDF. Its a cracker's dream. Most other applications give some kind of warning, especially if there's something scripted in the document. Adobe does none of this. Heck, you can disable Javascript but it will helpfully remind you that its disabled and offer to unblock it if you attempt to open a pdf with javascript. Its really an incredibly terrible way to handle security.

    This thing should at least be shipping with js disabled and the only way to enable it is by going into Preferences. The web plugin should be retired and just force the pdf to open in the full reader. One can dream, right?

  3. Re:Me too? NOT by nine-times · · Score: 4, Insightful

    Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed.

    And IMO this is exactly why everyone should be wary of putting scripting languages into documents. We have a well-established convention of distinguishing "documents" from "applications"; "documents" are passive collections of information, whereas "applications" do stuff.

    We block applications and scripts because they do stuff and we can't easily know what it is that they do, but we don't block documents because, in theory, they can't do anything. Loading a document in its proper viewer application shouldn't do anything that the viewer wasn't explicitly designed to do. If you throw scripting applications and macros into the documents, then suddenly the "documents" do stuff too. This, in my opinion, is bad.